AWS PrivateLink

What is an AWS PrivateLink?

AWS PrivateLink is an AWS service (supported by Snowflake) that allows you to create private VPC (Virtual Private Clouds) endpoints for direct, secure connectivity between your AWS VPCs and the Snowflake VPC without going through the public internet. A maximum of five PrivateLinks can be enabled in your environment. This document outlines the steps to configure Snowflake-AWS PrivateLink.

Pre-requisites

To configure Snowflake-AWS PrivateLink, you must have the following:

• Access to an AWS account with permissions to create VPC endpoints and DNS Hosted Zones.

• Access to a Snowflake account with ACCOUNTADMIN permissions.

Steps to follow (on Snowflake side)

1. Login to your Snowflake account with ACCOUNTADMIN permissions and run the following command, using the federation token output from Step 1 on AWS side. This command authorizes Snowflake to access your AWS resources.

use role accountadmin;
# update 185 with 12-digit identifier of AWS Account
# update second argument with JSON from step 2

select system$authorize_privatelink (
    '185...',
    '{
       "Credentials": 
       {
           "AccessKeyId": "ASI...",
           "SecretAccessKey": "enw...",
           "SessionToken": "Fwo...",
           "Expiration": "2021-01-07T19:06:23+00:00"
       },

       "FederatedUser": {
           "FederatedUserId": "185...:sam",
           "Arn": "arn:aws:sts::185...:federated-user/sam"
       },
       "PackedPolicySize": 0
    }'
  );

2. On the Snowflake worksheet, run and save the output of the following command. It provides the necessary configurations to enable internal stages on Snowflake.

select SYSTEM$GET_PRIVATELINK_CONFIG();

3. Run the following command to enable internal stages on Snowflake and display the configuration settings:

use role accountadmin;
alter account set enable_internal_stages_privatelink = true;
select key, value from table(flatten(input=>parse_json(system$get_privatelink_config())));

Steps to follow (On AWS Side)

1. Creating a new user needs to be created on AWS with this policy attached via a group.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:GetFederationToken",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

Using the AWS access credentials created for this account, you can set up AWS CLI and then run the following command to retrieve temporary security credentials to authorize Snowflake to access AWS resources.

aws sts get-federation-token --name tellius-sf-01

1. Create a VPC Endpoint on the AWS console for tunneling PrivateLink endpoints. Enter the resource ID of privatelink-vpce-id from the saved JSON and click verify and create.

1. Create a private DNS Hosted Zone in AWS Route53 on the same VPC as the Kubernetes cluster/instance. This can be the same as the node groups VPC, subnet, and Security Group.

1. Add CNAMEs for the URLs printed in the JSON using the following format:

• Record type: CNAME

• Name: <repeat n from JSON>

• Address: <DNS Name of VPC Endpoint from the previous step>

• TTL: 30 seconds

1. In the AWS Console, navigate to the EC2 dashboard and click on Security Groups in the left-hand navigation panel.

2. Click on the Create Security Group button and create a new security group with inbound and outbound rules that allow traffic from the VPC endpoint security group to the appropriate node group of the Kubernetes cluster for ports 80 and 443.

3. With these steps, you should now have a fully functional Snowflake-AWS PrivateLink environment that allows you to securely access data from Snowflake through a private network connection.

Points to remember

1. Make sure that the security groups of both VPC endpoints contain inbound and outgoing rules to the proper Kubernetes cluster node group for ports 80 and 443.

2. When creating the VPC endpoint, make sure to select the VPC and subnet where your Kubernetes cluster/instance is running, and also make sure to choose the appropriate security group that allows traffic from the Kubernetes cluster.

3. When creating the private DNS-hosted zone, make sure to choose the same VPC as the Kubernetes cluster/instance and add CNAME records for all the URLs printed in the JSON output from Step 2.

4. When creating the VPC endpoint for tunneling PrivateLink endpoints, make sure to select the appropriate resource ID of the endpoint and verify the settings before creating.

5. Also, note that Snowflake charges additional fees for using PrivateLink, and it is important to review the pricing and billing documentation to understand the costs associated with using this feature.

Reference

The exact steps may vary depending on your specific setup, and it is important to consult the official Snowflake and AWS documentation for detailed instructions and best practices.